A major and growing form of fraud is the unauthorised use by one person of the payment card details of another person, in order to obtain goods or services without permission and using funds not their own. The payment cards affected include credit cards and debit cards, as well as “charge” cards and pre-paid gift cards. Originally, allowable “card not present” (CNP) transactions were devised to allow purchase of goods by mail order and by telephone order (collectively referred to as MOTO transactions). MOTO business rules and contemporary CNP transaction processing rules were developed to allow a merchant to charge a purchaser's credit card for goods or services delivered, even when the merchant does not sight the purchaser's credit card, nor the act of the cardholder signing the purchase order, nor the cardholder's signature itself in the case of telephone transactions.
In general terms, a CNP transaction can be originated by simply quoting payment card details such as the card number, the cardholder name as it appears on the card, and the card expiry date. CNP transactions have always been relatively more vulnerable to fraud than regular “card present” transactions. For many years, attempts to create fraudulent CNP transactions have centred on gaining illicit access to the necessary payment card details, most of which could be found on card statements, or on the carbon paper waste generated when recording card details through a traditional imprinter. The slang term “dumpster diving” was coined to reflect the way in which fraudsters could obtain all the information needed to effect false CNP transactions by looking through trash, especially in the dumpsters outside busy stores.
To combat CNP fraud, financial institutions have steadily introduced additional pieces of information that must be provided by the legitimate card holder to initiate CNP transactions, but which are harder for criminals to obtain. Chief amongst the additional pieces of information was the credit card verification (CCV) code. This is an extra number, typically of three or four digits, that is printed on a credit card but not embossed (as is the traditional 15 or 16 digit card account number). Because the CCV is not embossed it is not copied onto carbon paper by a card imprinter. The CCV has proven to be an effective security tool for telephone orders, because when a card holder verbally quotes their CCV to a telephone operator for entry into a verification system no trace of the CCV remains for a criminal to obtain, provided that the operator is acting honestly and the verification system does not retain the code once the transaction has been authorised.
To further combat CNP fraud, financial institutions also arranged for merchant terminal receipts to not display all cardholder details, making the trash less valuable to fraudsters.
In Internet based e-commerce, the CNP rules initially proved to be useful and helped to foster an explosion in the use by consumers of transactions over the Internet, referred to as web transactions. All parties benefited from the ease of use of credit cards in web transactions supported by the CNP rules. Cardholders enjoyed the convenience of web transactions, merchants saw higher sales and many were able to develop entirely new “virtual” commerce models unencumbered by physical shop fronts, and financial institutions enjoyed higher transaction volumes and interest returns.
However, web commerce has nevertheless inadvertently led to new ways for criminals to perpetrate CNP fraud and has furnished criminals with new sources of payment card details, thus overturning most if not all previous CNP fraud prevention strategies. In particular, vast aggregations of payment card details and other personal information records are now generated as a matter of course by merchants, and by financial system intermediaries involved in processing payment card transactions. Cyber criminals now have access to stolen payment card details on a massive scale, either by directly invading and copying databases that have not been adequately secured, or by obtaining details from other criminal enterprises that have grown up around CNP and other fraud opportunities and now trade stolen personal details.
Web commerce also exacerbates the problem by making it vastly easier for criminals to launch automated illegitimate payment card transactions in great numbers. Online merchant sites may be vulnerable to attack by computers which are able to automatically replay stolen card details. Merchant web commerce servers are unable to discern whether a stream of alphanumeric data has been legitimately produced by the card holder or has been produced from stolen personal details. The fundamental vulnerability of current web commerce systems to CNP fraud is that, on the face of it, nothing indicates to a merchant server whether the alphanumeric payment card data transmitted over the network has come from a legitimate user. Inherently insecure communications channels such as the Internet (and to some extent the telephone network too) do not provide built-in mechanisms by which the legitimacy of a set of payment card details can be assured; even where the channel itself is encrypted, that encryption protects the card details in transit but does nothing to establish that the party who supplied them is the cardholder.
Another salient aspect of current electronic transactions is that financial institutions such as banks use a variety of methods that do not rely on public key cryptography (classically two-factor authentication) to safeguard their own internet banking services against fraud. The banks' deployment of two factor authentication has made it more difficult for criminals to ‘hack’ into bank accounts directly; that is, to gain illicit access and thence transfer funds to the attacker's accounts. However, these two factor authentication methods are only effective in ‘closed’ systems, also known as hub and spoke systems, in which the individual must prove their bona fides to the financial institution itself. Two factor authentication is significantly more complicated to manage in open systems, where the relying party (the merchant) is not the issuer of the two factor token. It is a substantial challenge in web commerce to offer merchants accepting card-not-present transactions protection against fraud, as the banks' two factor internet banking security mechanisms do not extend to or scale up to many millions of merchants.
The acceleration in online CNP fraud is due in part to the preceding factors. Further, the deployment of Chip-and-PIN (smartcards) for combating card present fraud has been effective in reducing opportunities for criminals to skim traditional magnetic stripe payment card details and to counterfeit fake cards, making CNP fraud a more appealing target for criminals. Finance industry authorities report that globally over the past four years the industry has experienced a 50 to 100% increase in gross credit card fraud, predominantly relating to CNP fraud, leading to worldwide losses of many billions of dollars. CNP fraud is now the most prevalent form of credit card fraud in many jurisdictions.
A common response of financial institutions to CNP fraud is to require merchants to gather and scrutinise increasingly detailed ancillary private information about card holders in an effort to establish the customer's legitimacy. One set of merchant guidelines recommends obtaining card issue number, card start date, contact phone number, the name of the issuer, the CCV number and the cardholder's statement address. However collecting such data intrudes on card holder privacy, consumes significant time for customer and merchant alike, and adds to the compliance burden of merchants who must provide special systems to safeguard such personal data. These details are not otherwise required for a payment card transaction, and collecting such details exposes the customer to identity theft and in turn dilutes the effectiveness of such data for proving legitimacy.
Another response to CNP fraud is to monitor transactions for subsequent investigation, but without actually preventing completion of the transaction at the time. This type of response leads to significant direct financial losses, in addition to indirect costs relating to inconvenience, investigation, dispute resolution, and lost business due to falling confidence. Currently financial institutions usually extend refunds to card holders whose details are used fraudulently by others, and to merchants if they have been defrauded. The overall cost worldwide amounts to hundreds of millions of dollars annually, and it is rising rapidly.
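The two preceding observations, that a merchant server cannot tell legitimate card data from replayed stolen data by inspecting the data itself, and that the usual response is to monitor transactions after the fact, leave the merchant with only the behaviour of the submissions to work from. The following is an added example, not part of this specification, of the kind of velocity monitoring a merchant gateway can apply to its own authorisation log: it flags a client address cycling through many distinct card numbers with a low approval rate (automated “card testing”), and a single card number replayed from many addresses in a short window. The log format, thresholds and sample records are constructed assumptions for illustration; real gateways differ.

```python
"""Added example: velocity monitoring of CNP authorisation attempts.

Not part of the original specification. The log layout, the thresholds
and the sample records below are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authorisation log (not real traffic):
# timestamp, client IP, masked card number, amount, gateway result.
SAMPLE_LOG = """\
2024-03-01T10:00:00 203.0.113.5 411111******1111 49.99 approved
2024-03-01T10:00:02 203.0.113.5 411111******2222 1.00 declined
2024-03-01T10:00:03 203.0.113.5 411111******3333 1.00 declined
2024-03-01T10:00:04 203.0.113.5 411111******4444 1.00 declined
2024-03-01T10:00:05 203.0.113.5 411111******5555 1.00 approved
2024-03-01T10:00:06 203.0.113.5 411111******6666 1.00 declined
2024-03-01T10:00:07 203.0.113.5 411111******7777 1.00 declined
2024-03-01T10:15:00 198.51.100.7 555555******4444 120.00 approved
2024-03-01T10:40:00 192.0.2.10 555555******4444 89.00 approved
2024-03-01T10:40:05 192.0.2.11 555555******4444 89.00 approved
2024-03-01T10:40:09 192.0.2.12 555555******4444 89.00 approved
"""


def parse_log(text):
    """Parse the constructed log format into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, pan, amount, result = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "ip": ip,
            "pan": pan,
            "amount": float(amount),
            "approved": result == "approved",
        })
    return sorted(events, key=lambda e: e["time"])


def _windows(events, key, window):
    """Yield (key value, events) for each sliding window ending at an event.

    Events are grouped by `key` (e.g. "ip" or "pan"); for each event the
    window holds that key's events in the preceding `window` interval.
    """
    by_key = defaultdict(list)
    for e in events:
        by_key[e[key]].append(e)
    for k, evs in by_key.items():
        for i, e in enumerate(evs):
            start = e["time"] - window
            yield k, [x for x in evs[: i + 1] if x["time"] >= start]


def detect_card_testing(events, window=timedelta(seconds=60),
                        min_pans=5, max_approval=0.5):
    """Flag client IPs that submit many distinct PANs with a low approval rate.

    Returns {ip: largest number of distinct PANs seen in one window}.
    Thresholds are illustrative assumptions, not industry rules.
    """
    flagged = {}
    for ip, evs in _windows(events, "ip", window):
        pans = {e["pan"] for e in evs}
        if len(pans) < min_pans:
            continue
        approval = sum(e["approved"] for e in evs) / len(evs)
        if approval <= max_approval:
            flagged[ip] = max(flagged.get(ip, 0), len(pans))
    return flagged


def detect_pan_reuse(events, window=timedelta(seconds=60), min_ips=3):
    """Flag a PAN replayed from many distinct client IPs within the window.

    Returns {masked pan: largest number of distinct IPs seen in one window}.
    """
    flagged = {}
    for pan, evs in _windows(events, "pan", window):
        ips = {e["ip"] for e in evs}
        if len(ips) >= min_ips:
            flagged[pan] = max(flagged.get(pan, 0), len(ips))
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("card testing:", detect_card_testing(evs))
    print("pan reuse:", detect_pan_reuse(evs))
```

Note what the check does and does not establish: the single approved purchase from 198.51.100.7 and the first submission from 203.0.113.5 are byte-for-byte indistinguishable from legitimate orders, exactly as the text says; only the pattern across many submissions is detectable, and a patient attacker who spreads attempts over time and addresses falls under any fixed threshold. Such monitoring reduces the volume of automated fraud but does not supply the missing assurance that the card details came from the cardholder.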
Any discussion of documents, acts, materials, devices, articles or the like which has been included in the present specification is solely for the purpose of providing a context for the present invention. It is not to be taken as an admission that any or all of these matters form part of the prior art base or were common general knowledge in the field relevant to the present invention as it existed before the priority date of each claim of this application.
Throughout this specification the word “comprise”, or variations such as “comprises” or “comprising”, will be understood to imply the inclusion of a stated element, integer or step, or group of elements, integers or steps, but not the exclusion of any other element, integer or step, or group of elements, integers or steps.